Abstract. In AFRICACRYPT 2010, Abdalla et al. first proposed a slight modification to the computation steps of the BD protocol, called mBD+P. Then they extended the mBD+P protocol into the mBD+S protocol. In this paper, we show that both the mBD+P and mBD+S protocols are vulnerable to a malicious insider attack. Further, we propose a simple countermeasure against this attack.
1 Introduction

Group key exchange (GKE) enables three or more parties to agree upon a common secret session key over an open network for secure group communication. However, GKE protocols are currently less well understood than two-party key exchange protocols, and many security attributes have so far been ignored in the GKE setting.

In 2009, Manulis proposed flexible GKE protocols [1] utilizing the well-known parallel Diffie-Hellman key exchange (PDHKE) technique, in which each party uses the same exponent for the computation of peer-to-peer (p2p) keys with its peers. Further, Manulis investigated possible optimizations of these protocols allowing parties to re-use their exponents to compute both group and p2p keys, and showed that not all GKE protocols can be optimized in this way; the original Burmester-Desmedt (BD) GKE protocol [2] is one that cannot.

Recently, Abdalla et al. used a more generalized and flexible approach than Manulis's scheme to propose two GKE protocols, mBD+P and mBD+S [3], both based on the well-studied BD GKE protocol. The mBD+P protocol modifies BD to obtain a secure merge of BD and PDHKE. The mBD+S protocol extends mBD+P with the ability to compute an independent session key for any subgroup of the initial GKE users. The authentication procedure in their protocols is similar to the general authentication technique from [4], and both mBD+P and mBD+S are proven secure in the random oracle model. In this paper, we show that their protocols are vulnerable to a malicious insider attack: two malicious insiders can disrupt the establishment of a common group session key among all group members. Furthermore, we improve their protocols with a key confirmation technique to overcome this security flaw.

The rest of this paper is organized as follows. In Section 2, we briefly review Abdalla et al.'s protocols. In Section 3, we show that their protocols cannot resist the malicious insider attack. In Section 4, we propose our improvement to repair this security flaw. Finally, conclusions are given in Section 5.

2 Review of mBD+P and mBD+S Protocols 

In this section, we briefly review the mBD+P and mBD+S protocols proposed by Abdalla et al. in 2010. In Table 1, we list the abbreviations and notations used in the mBD+P and mBD+S protocols. For more details, we refer to [3].



Table 1. The notations

  Notation                            Description
  $q$                                 A large prime
  $\tau$                              Security parameter
  $G$                                 A cyclic additive group of order $q$
  $H_g, H_p, H_s$                     Random oracles from $\{0,1\}^*$ to $\{0,1\}^\tau$
  $H$                                 Random oracle from $G$ to $\{0,1\}^\tau$
  $n$                                 The number of users
  $U_1, U_2, \ldots, U_{n-1}, U_n$    Users
  $\mathrm{Sign}$                     A digital signature scheme
  $sk_i$                              Signature private key
  $pk_i$                              Verification public key


2.1 mBD+P Protocol

In this subsection, we briefly review the mBD+P protocol, which consists of two stages: the group stage and the p2p stage. For the correctness of the key computation and the security analysis of the mBD+P protocol we refer to [3].

Group Stage. Let the group users be defined by $\mathrm{pid} = (U_1, \ldots, U_n)$. In the following description we assume that user indices form a cycle such that $U_0 = U_n$ and $U_{n+1} = U_1$.

[Round 1]. Each $U_i$ computes $y_i = g^{x_i}$ for some random $x_i \in_R \mathbb{Z}_q$ and broadcasts $(U_i, y_i)$.

[Round 2]. Each $U_i$ proceeds as follows:

- lets $\mathrm{sid}_i = (U_1|y_1, \ldots, U_n|y_n)$,
- computes $k'_{i-1,i} = y_{i-1}^{x_i}$ and $k'_{i,i+1} = y_{i+1}^{x_i}$,
- computes $z'_{i-1,i} = H(k'_{i-1,i}, \mathrm{sid}_i)$ and $z'_{i,i+1} = H(k'_{i,i+1}, \mathrm{sid}_i)$,
- computes $z_i = z'_{i-1,i} \oplus z'_{i,i+1}$,
- computes $\sigma_i = \mathrm{Sign}(sk_i, (U_i, z_i, \mathrm{sid}_i))$,
- broadcasts $(U_i, z_i, \sigma_i)$.

[Group Key Computation]. Each $U_i$ checks whether $z_1 \oplus \cdots \oplus z_n = 0$ and whether all received signatures $\sigma_j$ are valid, and aborts if any of these checks fails. Otherwise, $U_i$ proceeds as follows:

- iteratively for each $j = i, \ldots, i+n-1$, computes $z'_{j,j+1} = z'_{j-1,j} \oplus z_j$,
- accepts $k_i = H_g(z'_{1,2}, \ldots, z'_{n,1}, \mathrm{sid}_i)$ as the group session key.

P2P Stage.

[P2P Key Computation]. On input any user identity $U_j \in \mathrm{pid}_i$, the corresponding user $U_i$ proceeds as follows:

- computes $k'_{i,j} = y_j^{x_i} = g^{x_i x_j}$,
- accepts $k_{i,j} = H_p(k'_{i,j}, U_i|y_i, U_j|y_j)$ as the two-party session key.

2.2 mBD+S Protocol

In this subsection, we briefly review the mBD+S protocol, which also consists of two stages: the group stage and the subgroup stage. Since the group stage of the mBD+S protocol is the same as that of the mBD+P protocol, we omit its details here. For the correctness of the key computation and the security analysis of the mBD+S protocol we refer to [3]. Next, we only introduce the subgroup stage.

Subgroup Stage. On input any subgroup identity $\mathrm{spid} \subseteq \mathrm{pid}$, the corresponding users perform the following steps. We assume that $\mathrm{spid} = (U_1, \ldots, U_m)$ with $m < n$, and that $U_0 = U_m$ and $U_{m+1} = U_1$.

[Round 1]. Each $U_i \in \mathrm{spid}$ proceeds as follows:

- extracts $\mathrm{ssid}_i = (U_1|y_1, \ldots, U_m|y_m)$ from $\mathrm{sid}_i$,
- computes $k'_{i-1,i} = y_{i-1}^{x_i}$ and $k'_{i,i+1} = y_{i+1}^{x_i}$,
- computes $z'_{i-1,i} = H(k'_{i-1,i}, \mathrm{sid}_i)$ and $z'_{i,i+1} = H(k'_{i,i+1}, \mathrm{sid}_i)$,
- computes $z_i = z'_{i-1,i} \oplus z'_{i,i+1}$,
- computes $\sigma_i = \mathrm{Sign}(sk_i, (U_i, z_i, \mathrm{ssid}_i))$,
- broadcasts $(U_i, z_i, \sigma_i)$.

[Subgroup Key Computation]. Each $U_i$ checks whether $z_1 \oplus \cdots \oplus z_m = 0$ and whether all received signatures $\sigma_j$ are valid, and aborts if any of these checks fails. Otherwise, $U_i$ proceeds as follows:

- iteratively for each $j = i, \ldots, i+m-1$, computes $z'_{j,j+1} = z'_{j-1,j} \oplus z_j$,
- accepts $k_{i,s} = H_s(z'_{1,2}, \ldots, z'_{m,1}, \mathrm{ssid}_i)$ as the subgroup session key.



3 Insider Attack on mBD+P and mBD+S Protocols 



In this section, we present our attack on the group stage of their protocols. Our attack is similar to Lee and Lee's cryptanalysis [5] of Jung's scheme [6]. Under our attack, two malicious insiders can cause a victim user to accept a group session key that differs from the one accepted by the other users. We note that this attack can also be mounted against the subgroup stage in a similar way.

Suppose that users $U_{i-1}$ and $U_{i+1}$ are two malicious insiders. They are going to deceive $U_i$ into believing that $U_i$ shares a common group session key with the other users after execution of the group stage of the mBD+P protocol or the mBD+S protocol, while in fact $U_i$ does not hold the common group session key. All group users honestly execute the protocol during the setup phase. In the group stage, the two malicious insiders $U_{i-1}$ and $U_{i+1}$ disrupt the protocol as follows:

[Round 1]. Each $U_l$ (for $1 \le l \le n$) computes $y_l = g^{x_l}$ for some random value $x_l \in_R \mathbb{Z}_q$ and broadcasts $(U_l, y_l)$.

[Round 2]. Each honest $U_j$ (for $1 \le j \le n$ with $j \ne i-1, i+1$) proceeds as follows:

- lets $\mathrm{sid}_j = (U_1|y_1, \ldots, U_n|y_n)$,
- computes $k'_{j-1,j} = y_{j-1}^{x_j}$ and $k'_{j,j+1} = y_{j+1}^{x_j}$,
- computes $z'_{j-1,j} = H(k'_{j-1,j}, \mathrm{sid}_j)$ and $z'_{j,j+1} = H(k'_{j,j+1}, \mathrm{sid}_j)$,
- computes $z_j = z'_{j-1,j} \oplus z'_{j,j+1}$,
- computes $\sigma_j = \mathrm{Sign}(sk_j, (U_j, z_j, \mathrm{sid}_j))$,
- broadcasts $(U_j, z_j, \sigma_j)$.

Malicious insider $U_{i-1}$ proceeds as follows:

- lets $\mathrm{sid}_{i-1} = (U_1|y_1, \ldots, U_n|y_n)$,
- computes $k'_{i-2,i-1} = y_{i-2}^{x_{i-1}}$ and $k'_{i-1,i} = y_i^{x_{i-1}}$,
- computes $z'_{i-2,i-1} = H(k'_{i-2,i-1}, \mathrm{sid}_{i-1})$ and $z'_{i-1,i} = H(k'_{i-1,i}, \mathrm{sid}_{i-1})$,
- computes $z_{i-1} = z'_{i-2,i-1} \oplus z'_{i-1,i} \oplus r_M$, where $r_M \in_R \mathbb{Z}_q$ is chosen jointly by $U_{i-1}$ and $U_{i+1}$,
- computes $\sigma_{i-1} = \mathrm{Sign}(sk_{i-1}, (U_{i-1}, z_{i-1}, \mathrm{sid}_{i-1}))$,
- broadcasts $(U_{i-1}, z_{i-1}, \sigma_{i-1})$.

Malicious insider $U_{i+1}$ proceeds as follows:

- lets $\mathrm{sid}_{i+1} = (U_1|y_1, \ldots, U_n|y_n)$,
- computes $k'_{i,i+1} = y_i^{x_{i+1}}$ and $k'_{i+1,i+2} = y_{i+2}^{x_{i+1}}$,
- computes $z'_{i,i+1} = H(k'_{i,i+1}, \mathrm{sid}_{i+1})$ and $z'_{i+1,i+2} = H(k'_{i+1,i+2}, \mathrm{sid}_{i+1})$,
- computes $z_{i+1} = z'_{i,i+1} \oplus z'_{i+1,i+2} \oplus r_M$, where $r_M$ is the same value chosen by $U_{i-1}$ and $U_{i+1}$,
- computes $\sigma_{i+1} = \mathrm{Sign}(sk_{i+1}, (U_{i+1}, z_{i+1}, \mathrm{sid}_{i+1}))$,
- broadcasts $(U_{i+1}, z_{i+1}, \sigma_{i+1})$.

[Group Key Computation]. Each $U_l$ checks whether $z_1 \oplus \cdots \oplus z_n = 0$ and whether all received signatures $\sigma_j$ are valid, and aborts if any of these checks fails. Both checks pass here: $r_M$ appears twice in the XOR sum and cancels, and the insiders sign their own messages with their legitimate keys. Otherwise, all group members except the victim $U_i$ proceed as follows:

- iteratively for each $j = l, \ldots, l+n-1$, computes $z'_{j,j+1} = z'_{j-1,j} \oplus z_j$,
- accepts $k_l = H_g(z'_{1,2}, \ldots, z'_{i-2,i-1}, z'_{i-1,i} \oplus r_M, z'_{i,i+1} \oplus r_M, z'_{i+1,i+2}, \ldots, z'_{n,1}, \mathrm{sid}_l)$, where $1 \le l \le n$ and $l \ne i$, as the group session key.

$U_i$ proceeds as follows:

- iteratively for each $j = i, \ldots, i+n-1$, computes $z'_{j,j+1} = z'_{j-1,j} \oplus z_j$,
- accepts $k_i = H_g(z'_{1,2} \oplus r_M, \ldots, z'_{i-2,i-1} \oplus r_M, z'_{i-1,i}, z'_{i,i+1}, z'_{i+1,i+2} \oplus r_M, \ldots, z'_{n,1} \oplus r_M, \mathrm{sid}_i)$ as the group session key.

Since $H_g$ is a random oracle, the session key $k_i$ computed by $U_i$ clearly differs from the group session key $k_l$ (for $1 \le l \le n$, $l \ne i$) computed by the other users.

4 Improvement of mBD+P and mBD+S Protocols 

In this section, we propose an effective countermeasure against the malicious insider attack. The main idea is to add an additional round for key confirmation to the group stage of the original mBD+P and mBD+S protocols. In the description of the improved protocols we add two random oracles: $H'_g$ is a random oracle from $\{0,1\}^*$ to $\{0,1\}^{2\tau}$ and $H_{kc}$ is a random oracle from $\{0,1\}^*$ to $\{0,1\}^\tau$. Next, we describe the details of our improvement.

[Round 1]. Each $U_i$ computes $y_i = g^{x_i}$ for some random $x_i \in_R \mathbb{Z}_q$ and broadcasts $(U_i, y_i)$.

[Round 2]. Each $U_i$ proceeds as follows:

- lets $\mathrm{sid}_i = (U_1|y_1, \ldots, U_n|y_n)$,
- computes $k'_{i-1,i} = y_{i-1}^{x_i}$ and $k'_{i,i+1} = y_{i+1}^{x_i}$,
- computes $z'_{i-1,i} = H(k'_{i-1,i}, \mathrm{sid}_i)$ and $z'_{i,i+1} = H(k'_{i,i+1}, \mathrm{sid}_i)$,
- computes $z_i = z'_{i-1,i} \oplus z'_{i,i+1}$,
- computes $\sigma_i = \mathrm{Sign}(sk_i, (U_i, z_i, \mathrm{sid}_i))$,
- broadcasts $(U_i, z_i, \sigma_i)$.

[Group Key Computation]. Each $U_i$ checks whether $z_1 \oplus \cdots \oplus z_n = 0$ and whether all received signatures $\sigma_j$ are valid, and aborts if any of these checks fails. Otherwise, $U_i$ proceeds as follows:

- iteratively for each $j = i, \ldots, i+n-1$, computes $z'_{j,j+1} = z'_{j-1,j} \oplus z_j$,
- computes $(k_i, k_i^{kc}) = H'_g(z'_{1,2}, \ldots, z'_{n,1}, \mathrm{sid}_i)$.

[Key Confirmation Message]. Each $U_i$ proceeds as follows:

- computes $M_i = H_{kc}(k_i^{kc}, \mathrm{sid}_i)$ and $\sigma_i^{kc} = \mathrm{Sign}(sk_i, (U_i, M_i, \mathrm{sid}_i))$,
- broadcasts $(U_i, M_i, \sigma_i^{kc})$.

[Round 3]. Each $U_i$ checks whether $M_i = M_j$ (for all $1 \le j \le n$, $j \ne i$) and whether all received signatures $\sigma_j^{kc}$ are valid, and aborts if any of these checks fails. Otherwise, $U_i$ completes the session by accepting $k_i$ as the common group session key.

With this improvement, all group users can verify whether their group session keys were computed from the same key material and thereby detect whether malicious insiders are present. This simple countermeasure is also effective for the subgroup stage of the mBD+S protocol.
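The attack of Section 3 and the key-confirmation round of Section 4 together, as an added Python simulation that is not part of the original paper: signatures are omitted (the insiders sign their own messages legitimately, so they play no role in the attack), the group is a toy $\mathbb{Z}_P^*$, and $H$, $H'_g$, $H_{kc}$ are instantiated with SHA-256/SHA-512. All parameter values and the function names (round2, group_key, run, round3_confirms) are constructed for this example.

```python
import functools, hashlib, operator, secrets
# Constructed toy parameters, not production sizes: DH in Z_P^* with a Mersenne prime.
P = 2**127 - 1
G = 3
TAU = 32  # tau = 256 bits: output length of H, H_kc, and each half of H'_g

def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def round2(i, x_i, ys, sid, r_m=0):
    """User i's Round 2: returns z'_{i-1,i} (kept locally) and the broadcast z_i.
    A malicious insider passes r_m != 0 to fold the shared r_M into its z_i."""
    n = len(ys)
    k_prev = pow(ys[(i - 1) % n], x_i, P)  # k'_{i-1,i} = y_{i-1}^{x_i}
    k_next = pow(ys[(i + 1) % n], x_i, P)  # k'_{i,i+1} = y_{i+1}^{x_i}
    z_prev = H(k_prev.to_bytes(16, "big") + sid)  # z'_{i-1,i}
    z_next = H(k_next.to_bytes(16, "big") + sid)  # z'_{i,i+1}
    return z_prev, z_prev ^ z_next ^ r_m

def group_key(i, z_prev, zs, sid):
    """Group Key Computation: check the XOR sum, unwind the chain from z'_{i-1,i},
    then (k_i, k_i^kc) = H'_g(z'_{1,2}, ..., z'_{n,1}, sid) as in Section 4."""
    n = len(zs)
    if functools.reduce(operator.xor, zs) != 0:
        raise ValueError("abort: z_1 xor ... xor z_n != 0")
    chain, cur = [0] * n, z_prev
    for j in range(i, i + n):
        cur ^= zs[j % n]  # z'_{j,j+1} = z'_{j-1,j} xor z_j
        chain[j % n] = cur
    d = hashlib.sha512(b"".join(c.to_bytes(32, "big") for c in chain) + sid).digest()
    return d[:TAU], d[TAU:]  # k_i, k_i^kc

def run(n, malicious=()):
    """Group stage for n users; `malicious` lists the insiders sharing r_M.
    Returns (k_i, M_i) per user with M_i = H_kc(k_i^kc, sid), the confirmation message."""
    xs = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    sid = b"".join(f"U{i}|".encode() + y.to_bytes(16, "big") for i, y in enumerate(ys))
    r_m = secrets.randbits(8 * TAU) if malicious else 0  # r_M taken as a tau-bit string
    r2 = [round2(i, xs[i], ys, sid, r_m if i in malicious else 0) for i in range(n)]
    zs = [z for _, z in r2]
    out = []
    for i in range(n):
        k_i, kc_i = group_key(i, r2[i][0], zs, sid)
        out.append((k_i, hashlib.sha256(kc_i + sid).digest()))
    return out

def round3_confirms(out):
    """Round 3 of the improved protocol: U_i accepts only if every M_j equals its own M_i."""
    return all(m == out[0][1] for _, m in out)
```

With insiders at indices 1 and 3 (victim at index 2), the XOR-sum check still passes, the honest users agree among themselves, the victim derives a different key, and the Round 3 comparison of confirmation messages fails.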

5 Conclusion 

The design of secure GKE protocols has proven to be a non-trivial task. Many GKE protocols that appeared in the literature were subsequently shown to be flawed. In this paper, we point out that Abdalla et al.'s protocols fail to satisfy a basic security goal, namely that all group users share a common group session key. The group stage and subgroup stage of their protocols suffer from a colluding malicious insider attack: two malicious insiders can cheat a user into accepting a session key that differs from that of the other users. Further, we propose an improvement of their protocols with key confirmation to repair this security weakness.